1 #ifndef SQUID_ANYP_TRAFFIC_MODE_H
2 #define SQUID_ANYP_TRAFFIC_MODE_H
3
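namespace AnyP
{

/**
 * Set of 'mode' flags defining types of traffic which can be received.
 *
 * Use to determine the processing steps which need to be applied
 * to this traffic under any special circumstances which may apply.
 *
 * Several flags select security-relevant handling (trust in addresses
 * taken from a PROXY header, Same-Origin verification, whether
 * authentication is permitted), so every flag must hold a defined value
 * from construction onwards.
 */
class TrafficMode
{
public:
    /**
     * All modes start disabled.
     *
     * Every flag is listed explicitly, in declaration order. A flag missing
     * from this list would be left indeterminate, and reading it is
     * undefined behaviour; for proxySurrogate that would decide at random
     * whether src/dst addresses are taken from a PROXY header.
     */
    TrafficMode() :
        accelSurrogate(false),
        proxySurrogate(false),
        natIntercept(false),
        tproxyIntercept(false),
        tunnelSslBumping(false)
    {}

    // Copy construction and copy assignment are left to the compiler.
    // Member-wise copy of the flags is what is wanted, and it avoids a raw
    // memcpy() over *this, which needed <cstring> and would silently break
    // if a non-trivial member were ever added.

    /** marks HTTP accelerator (reverse/surrogate proxy) traffic
     *
     * Indicating the following are required:
     *  - URL translation from relative to absolute form
     *  - restriction to origin peer relay recommended
     */
    bool accelSurrogate;

    /** marks ports receiving PROXY protocol traffic
     *
     * Indicating the following are required:
     *  - PROXY protocol magic header
     *  - src/dst IP retrieved from magic PROXY header
     *  - indirect client IP trust verification is mandatory
     *  - TLS is not supported
     */
    bool proxySurrogate;

    /** marks NAT intercepted traffic
     *
     * Indicating the following are required:
     *  - NAT lookups
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool natIntercept;

    /** marks TPROXY intercepted traffic
     *
     * Indicating the following are required:
     *  - src/dst IP inversion must be performed
     *  - client IP should be spoofed if possible
     *  - URL translation from relative to absolute form
     *  - Same-Origin verification is mandatory
     *  - destination pinning is recommended
     *  - authentication prohibited
     */
    bool tproxyIntercept;

    /** marks intercept and decryption of CONNECT (tunnel) SSL traffic
     *
     * Indicating the following are required:
     *  - decryption of CONNECT request
     *  - URL translation from relative to absolute form
     *  - authentication prohibited on unwrapped requests (only on the CONNECT tunnel)
     *  - encrypted outbound server connections
     *  - peer relay prohibited. TODO: re-encrypt and re-wrap with CONNECT
     */
    bool tunnelSslBumping;

    /** true if the traffic is in any way intercepted
     *
     * Only natIntercept and tproxyIntercept are consulted; the
     * accelSurrogate, proxySurrogate and tunnelSslBumping flags do not
     * affect the result. Declared const so that it can be queried through
     * a const reference.
     *
     * \return true when natIntercept or tproxyIntercept is set
     */
    bool isIntercepted() const { return natIntercept || tproxyIntercept; }
};

} // namespace AnyP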
79
80 #endif